Vulnerability Details: CVE-2019-9637
An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, the file being renamed may briefly be available with the wrong permissions while the rename is ongoing, enabling unauthorized users to access the data.
Threat overview for CVE-2019-9637
Top open port discovered on systems with this issue: 80
IPs affected by CVE-2019-9637: 45,314
Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2019-9637
Probability of exploitation activity in the next 30 days: 0.25%
Percentile, the proportion of vulnerabilities that are scored at or less: ~62%
CVSS scores for CVE-2019-9637
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | nvd@nist.gov |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | nvd@nist.gov |
CWE ids for CVE-2019-9637
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-9637
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html
  [security-announce] openSUSE-SU-2019:1503-1: moderate: Security update f
- https://access.redhat.com/errata/RHSA-2019:3299
  RHSA-2019:3299 - Security Advisory - Red Hat Customer Portal
- https://www.tenable.com/security/tns-2019-07
  [R1] PHP Stand-alone Patch Available for Tenable.sc versions 5.7.x to 5.11.x - Security Advisory | Tenable®
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html
  [security-announce] openSUSE-SU-2019:1293-1: moderate: Security update f (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html
  [security-announce] openSUSE-SU-2019:1572-1: moderate: Security update f
- https://access.redhat.com/errata/RHSA-2019:2519
  RHSA-2019:2519 - Security Advisory - Red Hat Customer Portal
- https://usn.ubuntu.com/3922-3/
  USN-3922-3: PHP vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/03/msg00043.html
  [SECURITY] [DLA 1741-1] php5 security update (Mailing List; Third Party Advisory)
- https://usn.ubuntu.com/3922-2/
  USN-3922-2: PHP vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://www.debian.org/security/2019/dsa-4403
  Debian -- Security Information -- DSA-4403-1 php7.0 (Third Party Advisory)
- https://support.f5.com/csp/article/K53825211
  (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html
  [security-announce] openSUSE-SU-2019:1573-1: moderate: Security update f
- https://security.netapp.com/advisory/ntap-20190502-0007/
  March 2019 PHP Vulnerabilities in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://usn.ubuntu.com/3922-1/
  USN-3922-1: PHP vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://bugs.php.net/bug.php?id=77630
  PHP :: Sec Bug #77630 :: rename() across the device may allow unwanted access during processing (Issue Tracking; Patch; Vendor Advisory)
Products affected by CVE-2019-9637
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*